Import SElinux module #477 #486
Conversation
yasminvalim
force-pushed
the
477-import-selinux
branch
2 times, most recently
from
6e31b30
to
586a029
Compare
|
Just a small note for your name in the Git config: You probably want You'll have to modify it in you |
yasminvalim
force-pushed
the
477-import-selinux
branch
from
ccb3d49
to
946531f
Compare
yasminvalim
force-pushed
the
477-import-selinux
branch
from
946531f
to
0a1b18e
Compare
yasminvalim
force-pushed
the
477-import-selinux
branch
from
7c08dc7
to
75142d6
Compare
|
I'm now trying to test manually, and while reading the documentation, I had a question: I understand that I can build it with custom files that I created and it will be translated from BU to Ignition. I think I am missing something. |
Noooo worries there are a lot of layers here. So, to test it locally we have to exercise your code which lives in butane, then we want to test that our expectation of what is required for the system to effectively implement the sugar is correct which is done by exercising existing code in ignition through first booting a fcos image. The simplest step is directly exercising your code by creating a butane config which references the sugar you added, and using your locally built butane to create an .ign file.
Now to exercise your assumptions for enabling a semodule you would then need to first boot a fcos vm with your ignition config. The simpliest way to do this is by using cosa
|
|
You can find an small example SELinux module (CIL) in coreos/fedora-coreos-tracker#1447 (comment) |
yasminvalim
force-pushed
the
477-import-selinux
branch
from
75142d6
to
6fc2da9
Compare
|
Hey there, I'm sharing my current approach for tackling this issue. I did have a few other ideas, but this one seems to be the most on point. I'm planning to commit the code I've been working on in the next few days, even though it might not be 100% ready, and it could potentially break my CI setup. Here's the plan I've got in mind. If you've got any cool ideas or questions that could help me sharpen things up, please don't hold back.
This current approach would look like that in a butane file: Your input would be awesome and thanks for your attention. |
|
The example Butane config should likely only include the content of the SELinux module: Then Butane would generate an Ignition config that:
|
|
Your approach is sound. It might make sense to create tests before making the functions. In this case in particular could be well suited for TDD, and just create a test like TestTranslateBootDevice which would fail until you create the translate code to build the sugar. Since you have a sound understanding of the input and the expected output. And as long as your spec changes are there you should be able to run the test with no compile errors. |
yasminvalim
force-pushed
the
477-import-selinux
branch
2 times, most recently
from
5b83d3c
to
48ed3ac
Compare
|
Hey folks, I am still having problem with unit tests. Currently, I am having this error and those are the logs. What I am missing here? |
yasminvalim
force-pushed
the
477-import-selinux
branch
from
48ed3ac
to
310a1f1
Compare
yasminvalim
force-pushed
the
477-import-selinux
branch
2 times, most recently
from
30a7dfa
to
87011dc
Compare
|
After spending time debugging, I'm still encountering similar errors to those I had before, despite making various changes. If anyone has any ideas about what might be causing this, I would appreciate. Thanks! |
yasminvalim
force-pushed
the
477-import-selinux
branch
2 times, most recently
from
a47e0b0
to
8149574
Compare
yasminvalim
force-pushed
the
477-import-selinux
branch
from
8149574
to
3940153
Compare
|
I've made few changes based on the review and debugged the code. However, I'm still uncertain about what's causing the issue in either the code or the test itself. Below is the current error. Please share any insights if you have them. 😸 |
yasminvalim
force-pushed
the
477-import-selinux
branch
3 times, most recently
from
1b6bae2
to
6f9bf5f
Compare
| "WantedBy=multi-user.target\n"), | ||
| Enabled: util.BoolToPtr(true), | ||
| }) | ||
| ts.AddFromCommonSource(yamlPath, path.New("json", "systemd"), rendered.Systemd) |
There was a problem hiding this comment.
So while this certainly passes the validate, I am having difficulty understanding why this should not be
ts.AddFromCommonSource(yamlPath, path.New("json", "systemd","units",len(rendred.systemd.units)), rendered.Systemd.units)
There was a problem hiding this comment.
And I think this is correct too.
| }, | ||
| }, | ||
| }) | ||
| ts.AddFromCommonSource(yamlPath, path.New("json", "storage"), rendered.Storage) |
There was a problem hiding this comment.
So while this certainly passes the validate, I am having difficulty understanding why this should not be
ts.AddFromCommonSource(yamlPath, path.New("json", "storage","files",len(rendred.storage.files)), rendered.storage.files)
There was a problem hiding this comment.
I think I understand this better now.
So I do think this is correct. It's saying that everything under and including the .storage key is associated with that module (after adding the index like I mentioned above, it'd be .selinux.module.0 -> .storage and -> .storage.files and so on). Essentially, we're not just adding a file and a unit because of this module, we have to add all the keys leading up to it. All keys in the output need a source translation associated, so e.g. .storage needs to be associated to something on the YAML side.
|
@yasminvalim the go 1.21 test should be fixed by #505. steps to update branchassuming origin is your fork and upstream is |
Thanks, I updated my branch and I will squash to have just one commit. 😸 |
Sorry I led you astray, the merge commit is nooooo good, the best thing to do is likely to undo your merge and just rebase git revert -m 1 a419de4 that way your fast-forwarded rather then merged into. |
yasminvalim
force-pushed
the
477-import-selinux
branch
from
a419de4
to
36f71f1
Compare
I think it's fine now, but not entirely sure because it's showing all the files updated in the old merge. Can you take a look, please? Also, can I use |
|
@yasminvalim I am a bit confused because this 36f71f1 should not be a thing. after reverting your merge it should have put you in a place with only your other commit. Once you revert the merge you can update your branch with the rebase pattern instead. |
yasminvalim
force-pushed
the
477-import-selinux
branch
from
36f71f1
to
7960a5b
Compare
config/fcos/v1_6_exp/schema.go
Outdated
|
|
||
| type Module struct { | ||
| Name string `yaml:"name"` | ||
| Content string `yaml:"content"` |
There was a problem hiding this comment.
I think probably this hsould be a Resource instead of a string. E.g. I can imagine wanting to keep this in a separate cil file and then using local.
There was a problem hiding this comment.
I did it, but I'm not sure if it's good enough.
I created a type 'resource' in v1_6_exp/schema as in the other versions to include it as a type for 'contents'.
The tests are working even with this change, so I think it's okay.
config/fcos/v1_6_exp/schema.go
Outdated
| @@ -50,3 +51,12 @@ type GrubUser struct { | |||
| Name string `yaml:"name"` | |||
| PasswordHash *string `yaml:"password_hash"` | |||
| } | |||
|
|
|||
| type Selinux struct { | |||
| Module []Module `yaml:"module"` | |||
There was a problem hiding this comment.
I think this should be
| Module []Module `yaml:"module"` | |
| Modules []Module `yaml:"modules"` |
List keys are pluralized (disks, filesystems, files, etc...).
There was a problem hiding this comment.
Nice! I changed it and also altered content to plural since the other examples are also using plural.
config/fcos/v1_6_exp/translate.go
Outdated
| var r report.Report | ||
|
|
||
| for _, module := range c.Selinux.Module { | ||
| rendered = processModule(rendered, module, options, ts, r, path.New("yaml", "selinux", "module")) |
There was a problem hiding this comment.
We should add the index to the path here so that e.g. module 2 is associated with the right output files and systemd units.
There was a problem hiding this comment.
Added the index path in the implementation and in the 'From Path' in test files. 👍
| }, | ||
| }, | ||
| }) | ||
| ts.AddFromCommonSource(yamlPath, path.New("json", "storage"), rendered.Storage) |
There was a problem hiding this comment.
I think I understand this better now.
So I do think this is correct. It's saying that everything under and including the .storage key is associated with that module (after adding the index like I mentioned above, it'd be .selinux.module.0 -> .storage and -> .storage.files and so on). Essentially, we're not just adding a file and a unit because of this module, we have to add all the keys leading up to it. All keys in the output need a source translation associated, so e.g. .storage needs to be associated to something on the YAML side.
| "WantedBy=multi-user.target\n"), | ||
| Enabled: util.BoolToPtr(true), | ||
| }) | ||
| ts.AddFromCommonSource(yamlPath, path.New("json", "systemd"), rendered.Systemd) |
There was a problem hiding this comment.
And I think this is correct too.
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0)}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "path")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0)}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "source")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "storage", "files", 0, "append", 0, "compression")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "systemd", "units", 0, "name")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "systemd", "units", 0, "contents")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "systemd", "units", 0, "enabled")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "systemd", "units", 0)}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "systemd", "units")}, | ||
| {From: path.New("yaml", "selinux", "module"), To: path.New("json", "systemd")}, |
There was a problem hiding this comment.
With the added index, you'd add 0 to all the From paths here.
config/fcos/v1_6_exp/translate.go
Outdated
| Name: module.Name + ".conf", | ||
| Contents: util.StrToPtr( | ||
| "[Unit]\n" + | ||
| "Description=Import SELinux module\n" + |
There was a problem hiding this comment.
This description should be templated.
There was a problem hiding this comment.
I saw in another file how it's done and managed to reproduce. Thank you for letting me know 🐱
config/fcos/v1_6_exp/translate.go
Outdated
|
|
||
| rendered.Systemd.Units = append(rendered.Systemd.Units, types.Unit{ | ||
| Name: module.Name + ".conf", | ||
| Contents: util.StrToPtr( |
There was a problem hiding this comment.
I would add a comment here (in the generated systemd unit) like:
# Generated by Butane
There was a problem hiding this comment.
Done, I've added the comment. Thanks. 😸
config/fcos/v1_6_exp/validate.go
Outdated
| if m.Name == "" && m.Content == "" { | ||
| r.AddOnError(c.Append("name"), common.ErrSelinuxContentNotSpecified) | ||
| r.AddOnError(c.Append("content"), common.ErrSelinuxContentNotSpecified) | ||
| } else { |
There was a problem hiding this comment.
I removed both this implementation and test.
There was a problem hiding this comment.
Thanks for your review :)
yasminvalim
force-pushed
the
477-import-selinux
branch
from
5086831
to
47441f1
Compare
It depends on fcos 1.6.0-experimental See: coreos#484 See: coreos#514 Fixes: coreos#517
Import SElinux module
We want to add sugar to butane which will allow users import costum SElinux module.
Related Issues
#477